[BZ 432811] EPEL key in RHEL

Michael DeHaan mdehaan at redhat.com
Thu Sep 18 19:43:13 UTC 2008

Stephen John Smoogen wrote:
> On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem at redhat.com> wrote:
>> Stephen John Smoogen wrote:
>>> I do agree we need to start from somewhere. I think we should start
>>> from the redhat key since that is one that is locked on lots of cdrom
>>> media etc for people to trust against. After that, we should have the
>>> EPEL key signed by that one and then the resulting fingerprints
>>> published in appropriate places.
>> Oh boy. That sounds like a tall order. We'll have to ask pm and legal about
>> that one.
>> At any rate, I don't think the signing you suggest will make installing
>> epel-release any easier for anyone.
> In the end it's not about making the install easier. It's more about
> trust of that installation. If the Fedora Keys are signed by the Red
> Hat master GPG key... should EPEL be also signed if it is being used
> for various Red Hat projects (spacewalk-0.3, cobbler, etc).

Slight clarification -- Any products resulting from the above projects
will likely have their bits for RHEL end up distributed through RHEL
channels (i.e. RHN). I can't speak to Spacewalk though, but Cobbler
will still be available in EPEL regardless. I like EPEL, it's great
and full of some nice software, but Red Hat does not support bits from
EPEL, so we can't source the bits from there. Spacewalk is probably
considered a "layered" product, so I'm not sure what the stance on that
in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the
previous discussion about other bits on this list. Either way, I'm not
an authority on the above :)

That all being said, I'd love to see the packages from EPEL signed in 
some form as there are a /lot/ of users using those same apps straight 
from EPEL, support or no -- they use them and they should be signed.   
This has nothing to do with whether or not they are to be used for Red 
Hat things or otherwise, it's just a good thing to do since people 
depend on those repos.

As for distributing an epel-release with RHEL, I'm not sure if that 
would happen or not as EPEL doesn't come with support.  I probably would 
not expect that to occur, but I think lots of folks do know about EPEL 
if they want to use it.

